'Response to Preflight Request Doesn't Pass Access Control Check' How to Fix It
In this article, you will learn how to fix the “Response to preflight request doesn’t pass access control check” error. This is a CORS error that happens when the browser sends a preliminary OPTIONS request to the server, and the server doesn’t respond with the headers needed to let your request through.
Instant Fix
Use Corsfix to fix the preflight error when you’re calling a third-party API you don’t control. Corsfix responds to preflight requests correctly, then forwards your actual request to the API server-side — bypassing the browser’s CORS check entirely.
```js
// Before — blocked by preflight
fetch("https://api.example.com/data", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer token123"
  },
  body: JSON.stringify({ query: "test" })
});
```

```js
// After — proxied through Corsfix
fetch("https://proxy.corsfix.com/?https://api.example.com/data", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer token123"
  },
  body: JSON.stringify({ query: "test" })
});
```

Prepend the Corsfix proxy URL to your endpoint. The preflight error goes away because the browser now talks to Corsfix, which handles OPTIONS correctly and forwards the request server-side. Because the request is forwarded server-side, the proxy receives everything in it, including the Authorization header and the request body.
For local development, this works instantly without registration. For live websites, set up your domain (takes 30 seconds).
What Is a Preflight Request?
A preflight request is an automatic OPTIONS request the browser sends before your actual request to ask the server whether the cross-origin request is allowed. Not every request triggers one — the browser only sends a preflight when your request is “non-simple.” This happens when:
- The method is anything other than GET, HEAD, or POST. PUT, DELETE, PATCH always trigger a preflight.
- You’re setting custom headers. Authorization, X-API-Key, or anything outside the browser’s safe list.
- The Content-Type is application/json. The browser only considers text/plain, multipart/form-data, and application/x-www-form-urlencoded safe. Almost every modern API uses JSON, so almost every API call triggers a preflight.
The server needs to respond to that OPTIONS request with three headers:
- Access-Control-Allow-Origin — which origins are allowed
- Access-Control-Allow-Methods — which HTTP methods are accepted
- Access-Control-Allow-Headers — which custom headers are permitted
If any of these are missing or don’t match what the browser asked for, you get the error.
Common Causes
The server doesn’t handle OPTIONS at all. It returns a 404 or 405 because it’s only set up for GET, POST, etc.
Access-Control-Allow-Origin is missing or wrong. The header isn’t present, or it’s set to an origin that doesn’t match yours.
Access-Control-Allow-Headers doesn’t include what you’re sending. You’re sending Authorization, but the server only allows Content-Type.
Access-Control-Allow-Methods doesn’t include your method. You’re sending PUT, but the server only lists GET and POST.
Credentials conflict with wildcard origin. If your request uses credentials: "include", the server can’t use Access-Control-Allow-Origin: * — it must specify the exact origin.
Fix If You Control the Server
If the error is happening when your frontend calls your own backend, you need to configure your server to respond to OPTIONS requests with the correct CORS headers.
Most frameworks have a CORS middleware or module — Express has the cors package, Django has django-cors-headers, Laravel has built-in CORS config, and Spring has @CrossOrigin. Use these rather than setting headers manually. They handle OPTIONS responses automatically.
If you’re using a reverse proxy like Nginx or Apache, explicitly intercept OPTIONS requests, return a 204 response, and include the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers. Make sure these headers also appear on your regular responses, not just the preflight.
The most common mistake is adding CORS headers to your GET/POST responses but forgetting to handle OPTIONS as its own route.
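The OPTIONS handling described above, written as a plain Node.js request handler. This is an added example, not code from this article or from any CORS middleware; the allowlisted origins, methods and headers and the names `corsDecision` and `handle` are assumptions chosen for illustration.

```javascript
// Assumed policy for illustration; replace with your own origins, methods and headers.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "http://localhost:3000"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns { status, headers }. status is 204 for an accepted preflight, 403 for a
// rejected one, and null when the request is not a preflight and should continue
// to its normal route with the returned headers attached.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const headers = { Vary: "Origin" }; // caches must not reuse one origin's answer for another
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (originOk) {
    // Echo the exact origin: browsers reject "*" when credentials are included.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true"; // only needed for credentials: "include"
  }
  const wantedMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || origin === undefined || wantedMethod === undefined) {
    return { status: null, headers };
  }
  // Preflight: compare what the browser asked for against the policy.
  const wantedHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = originOk && ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!allowed) return { status: 403, headers: { Vary: "Origin" } };
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // let the browser cache the preflight for 10 minutes
  return { status: 204, headers };
}

// Usable as http.createServer(handle); Node lower-cases the keys of req.headers.
function handle(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  if (status !== null) {
    res.writeHead(status, headers); // preflight answered here, never reaches a route
    return res.end();
  }
  // Regular response: the same Access-Control-Allow-Origin must be present here too.
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```

A preflight from an origin outside the allowlist, or one asking for a method or header the policy does not list, gets a 403 with no `Access-Control-Allow-*` headers, which the browser reports as the preflight error this article covers.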
When this isn’t an option — third-party APIs, external services, or APIs you simply can’t modify — a proxy like Corsfix is the easiest solution.
Conclusion
Fix “Response to preflight request doesn’t pass access control check” by ensuring the server responds to OPTIONS requests with the correct Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers. If you’re calling a third-party API you don’t control, use a proxy like Corsfix to handle preflight for you.
Corsfix is free to get started, and you only need to upgrade when you go to production.